Cisco's 6 Unpatched Internal Servers Compromised

Cisco | June 01, 2020

  • Cisco's six servers that were compromised are used to support Internet Routing Lab Personal Edition, or VIRL-PE, and Modeling Labs Corporate Edition.

  • The exploitability of the vulnerabilities in the six servers depends upon how the products that the servers support are enabled.

  • We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours.


Six internal servers that Cisco uses to support its virtual networking service were compromised earlier this month after the company failed to patch two SaltStack zero-day vulnerabilities, according to a security advisory sent to customers this week. Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted. If exploited, these zero-day vulnerabilities could potentially have allowed an attacker to gain full remote code execution within the servers. In its Thursday advisory, Cisco states that on April 29, the Salt Open Core team informed those using the SaltStack open-source configuration management and orchestration tool about two critical-rated vulnerabilities: an authentication bypass flaw, CVE-2020-11651, and a directory traversal problem, CVE-2020-11652.


"Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability," a company spokesperson tells Information Security Media Group. Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked, the company acknowledges. The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure, which describes them as allowing an attacker "to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server file system and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it."




A software component of the Cisco Virtual Internet Routing Lab service was affected by a third-party software vulnerability that was disclosed in late April. Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability.

~ Information Security Media Group.


SaltStack published its own advisory on April 20 and patched the vulnerabilities the following week with the release of versions 2019.2.4 and 3000.2, Alex Peay, a senior vice president at SaltStack, tells ISMG. Cisco's six servers that were compromised are used to support Internet Routing Lab Personal Edition, or VIRL-PE, and Modeling Labs Corporate Edition, or CML, a platform that enables engineers to emulate various Cisco operating systems, including IOS, IOS XR, and NX-OS, Cisco says in the advisory. The exploitability of the vulnerabilities in the six servers depends upon how the products that the servers support are enabled.

The company advises those using Cisco CML and Cisco VIRL-PE software releases 1.5 and 1.6, which have the salt-master service reachable on TCP ports 4505 and 4506, to inspect the software for compromise, re-image it and then patch it with the latest update. "We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure says. Peay of SaltStack added that exploits immediately began to show up after the patches were released and publicized as malicious actors attempted to take advantage of the zero-day vulnerabilities before companies were able to install patches. Scott Caveza, research engineering manager at the security firm Tenable, offers a quick rundown of how threat actors use patch information to crack a system: attackers will often review the code and look at what changes have been made in a patch or release update to determine how the fix was applied. Then, working backwards, they can use this information to develop a working exploit and begin scanning and probing for targets across the internet.


SaltStack went to great lengths to communicate the problem to its users and offer tools so mitigation efforts were conducted properly, Peay says. This included direct assistance for those lacking skills in handling SaltStack, along with a service that would scan to validate that the patches were properly applied, he adds. Some security experts question why Cisco did not immediately patch its servers when it was notified of the zero-day vulnerabilities. "There are management tools that can help with the automation of checking, but even that requires someone setting it up to check for a version of software on a set of servers, so in the end it's the IT person who has to do the work," says Jayant Shukla, CTO and co-founder of K2 Cyber Security. Caveza of Tenable notes that identifying systems that need a patch involves IT staff checking the version of SaltStack and verifying that version 2019.2.4, 3000.2 or later has been applied. He points out that plugins are available to assist with this task.
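The version check Caveza describes, written out as an added example (this is not code from Cisco, SaltStack or Tenable). It parses the version string a Salt host reports, compares it as integers against the two fix releases the article names (2019.2.4 for the date-based release scheme, 3000.2 for the numeric one), and groups a constructed inventory by patch status so the inspect, re-image and patch steps in Cisco's advice can be queued for the hosts that need them. Hostnames and version strings are constructed sample data; a version outside the two named branches, or no parsable version at all, is reported as unknown for a person to verify rather than guessed at.

```python
"""Triage Salt hosts against the SaltStack fix versions named in the article
(2019.2.4 and 3000.2 for CVE-2020-11651 / CVE-2020-11652).

Added example; not code from Cisco, SaltStack or Tenable. Hostnames and
version strings below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fix versions from the article, one per release scheme.
FIXED_DATE_SCHEME = (2019, 2, 4)   # old YYYY.M.P scheme: 2019.2.3 -> vulnerable
FIXED_NUMERIC_SCHEME = (3000, 2)   # new NNNN.P scheme:   3000.1  -> vulnerable

# A Salt version starts with four digits (a year, or 3000 and up) followed by
# optional dotted components.
VERSION_RE = re.compile(r"\b(\d{4}(?:\.\d+)*)\b")


def parse_salt_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a version tuple from output such as 'salt 2019.2.3' or '3000.1 (Neon)'."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def salt_patch_status(text: str) -> str:
    """Classify a reported version as 'patched', 'vulnerable' or 'unknown'.

    Integer tuples are compared, not strings, so 2019.2.10 sorts after 2019.2.4.
    Anything outside the two branches the article names (a later release line,
    or no parsable version) is 'unknown' so a human verifies it instead of the
    script guessing.
    """
    version = parse_salt_version(text)
    if version is None:
        return "unknown"
    if version[0] < 3000:
        # Date-based scheme: pad missing parts with 0 so '2019.2' compares as 2019.2.0.
        padded = (version + (0, 0, 0))[:3]
        return "patched" if padded >= FIXED_DATE_SCHEME else "vulnerable"
    if version[0] == 3000:
        padded = (version + (0, 0))[:2]
        return "patched" if padded >= FIXED_NUMERIC_SCHEME else "vulnerable"
    return "unknown"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status; the 'vulnerable' group is the inspect/re-image/patch queue."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory.items():
        groups[salt_patch_status(version_text)].append(host)
    return groups


# Constructed sample: what `salt --version` reported on each (hypothetical) lab host.
SAMPLE_INVENTORY = {
    "virl-lab-01": "salt 2019.2.3",
    "cml-lab-02": "salt 3000.1 (Neon)",
    "cml-lab-03": "salt 3000.2 (Neon)",
    "lab-master-04": "salt 2019.2.4",
    "lab-master-05": "salt: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Run against a real fleet, the inventory would be filled from whatever reports each host's Salt version (the plugins Caveza mentions, or the output of `salt --version` collected by the existing management tooling Shukla refers to); the comparison logic does not change. Tuple comparison matters here because a plain string comparison would rank 2019.2.10 below 2019.2.4 and wrongly flag a patched host.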


